Needed Improvements to the Data Security and Breach Notification Act

We read about hacks into major companies’ data banks seemingly every few months. The most recent high profile breach exposed health data on as many as 80 million Americans. Despite the prevalence of data breaches, however, federal law does not always provide legal recourse against companies whose poor security or breach notification procedures led to or exacerbate the effects of a breach. The latest legislative effort to address these issues is the Data Security and Breach Notification Act of 2015. The draft is scheduled for hearing before the House Energy & Commerce committee tomorrow.

The bill is a bipartisan effort led by Congresswoman Marsha Blackburn and Congressman Peter Welch, and is intended to replace the existing patchwork of state and federal data security and breach notification laws. There are currently 47 state data breach laws. Although there is no federal data breach standard, some federal privacy laws include data breach provisions, including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB). Additionally, the FTC Act and Communications Act include security and breach notification requirements for certain data. CDT has previously outlined what should be included in a federal data breach law.

In order to advance consumer protections beyond the status quo, any national standard should offer consumers greater protections than existing state and federal laws

Welch and Blackburn are among a number of legislators who introduced federal data breach bills in 2015. There are aspects of the Data Security and Breach Notification Act that we like: for example, the draft bill would implement a “notify unless” standard and requires automatic notification to the FTC if the number of individuals impacted by the breach exceeds 10,000 (although it is debatable whether this number should be lower). However, in order to advance consumer protections beyond the status quo, any national standard should offer consumers greater protections than existing state and federal laws. The Data Security and Breach Notification Act must be augmented in key respects in order to achieve this goal:

The draft bill’s preemption provision is vague. The definition of “breach of security” is limited enough in scope that it may allow states to pass laws on other sets of data not covered in this definition. On the other hand, the provision on preemption is broad enough that it would possibly prevent states from continuing to enforce or passing any law that addresses data security and/or breach notification — regardless of whether the state law covers data sets not covered in the federal law. This would essentially halt state innovation on data breach and limit national data breach response only to “financial” harm and data related to financial harm.

The definition of personally identifiable information is fairly narrow. The Act’s definition of PII is limited to data that could lead to financial harm — which is what breach notification laws were originally designed to address. Over time though, some states have recognized that consumer have a privacy interest in knowing when other data sets are exposed — like personal photos, documents or emails. Ideally the definition of personally identifiable information should be broadened to include non-financial information (such as photos stored in a cloud). If PII is not defined broadly, the law’s preemptive effect must be narrow enough to allow for states to innovate on data breach laws for data sets not covered in the federal law.

The bill’s enforcement provisions as it relates to data security must be strengthened. Only fining per day for delayed notification (and capping fines at $11,000 per day) would not deter large companies from unreasonably delaying notification to consumers.

The bill should require reasonable security as well as creation of a security plan. While CDT generally supports a “reasonable security” standard for data, federal law should also require that companies have dedicated processes in place to evaluate the security of data collected. This would provide the FTC with clear authority to enforce the law’s security provision. It would also force companies to recognize and respond to the risks inherent in poor data security practices.

Finally, the bill should not prevent the FCC from enforcing its existing data breach regulations and rules against telecommunications and cable entities. The draft proposes removing FCC jurisdiction over certain privacy protections for consumers’ telephone records provided for in the Communications Act. These Communications Act notification laws extend beyond financial harm, so the bill would essentially replace these laws with a weaker standard. As mentioned in our joint letter opposing the President’s data breach legislative proposal, a data breach bill designed to expand protections for consumer data should not eliminate existing privacy protections.

These changes will significantly strengthen the current bill and help ensure that the federal standard enhances consumer protections. We are encouraged by Congressman Welch’s efforts to work with consumer advocates to improve the draft and look forward to assisting this effort in the weeks to come.